\documentclass[a4paper,10pt]{article}
\usepackage[margin=1in]{geometry}
\usepackage{url}
\usepackage{graphicx}
\usepackage{amsmath}
\usepackage{subfig}
\usepackage{wrapfig}
\title{OS report for BlackBerry}
\author{Andrew Branscomb, Matthew Marum, Vasant Tendulkar}
\date{February 2, 2012}
\begin{document}

\maketitle
\section{Application Framework and Structure}
There are five different application frameworks on the BlackBerry platforms. The traditional BlackBerry OS permits Java apps and HTML5 apps through the WebWorks framework. Research In Motion is currently in the process of switching over to a wholly different OS. Currently, this is only available on the PlayBook. The new OS runs apps from four different frameworks. Developers can write apps for Adobe AIR, HTML5, or repackage Android apps. The OS is POSIX compliant and also provides a set of interfaces and libraries for native C/C++ code \cite{4A}. 
\subsection{Classic BlackBerry OS}
The BlackBerry OS currently used on all BlackBerry smartphones is a proprietary OS written in-house by BlackBerry. It supports apps written in Java and WebWorks HTML5.

\subsubsection{Java}
The Java API provides an Application class which all apps extend. Apps can be started manually by the user, at boot, by another app, or at a scheduled time. The Application Manager starts the App and sets up a process in which it can run. Apps can have multiple entry points that can be used for things like playing a specified song directly instead of opening the music library in a hypothetical music player. The process in which the app runs can have many threads, and the architecture (only one app has control of the UI at any one time; background threads of many apps can be active simultaneously) is similar to Android. Events can be broadcast to multiple apps or background threads \cite{2A}.
\subsection{BlackBerry Tablet OS}
The BlackBerry Tablet OS (and future smartphone OSes) is based on the long-lived QNX real-time OS. QNX is a microkernel OS that has been in development for 30 years and has been used mainly in embedded devices and applications that require the OS to guarantee access to system resources. QNX-based operating systems have been historically used for “life-critical systems such as air traffic control systems, surgical equipment, and nuclear power plants” \cite{1A}. The operating system can ensure “deterministic response times” of applications \cite{1A}. One of the design goals of QNX was complete compartmentalization of all OS code in different user-space processes. According to the vendor, “[v]irtually any component can fail — and be automatically restarted — without affecting other components or the kernel” \cite{1A}. 
\subsubsection{Native C/C++}
QNX is POSIX compliant \cite{1A}; therefore, existing applications written for other POSIX compliant OSes can be easily ported. The BlackBerry Tablet OS provides a large number of open source libraries such as Boost, Qt, and several physics/game engines for use by third-party applications. Apps that are written to run natively can take advantage of the system resource guarantees provided by the operating system if they wish. Any app that requires substantial processing power would probably be best-served by using this framework \cite{4A}. 
\subsubsection{Adobe AIR/ WebWorks HTML5}
These are two conceptually similar frameworks. Adobe AIR is designed to run Flash apps in a standalone manner; WebWorks does the same with HTML5/CSS/JavaScript \cite{7A, 8A}. Since these are installed as apps and not run in the browser, the APIs provide access to such interfaces as the GPS and SMS/BBM service. WebWorks works with PhoneGap applications and therefore has the advantage of allowing the same app to run on BlackBerry, Android, and iOS (among others)\cite{5A,6A}. AIR allows portions of code to run natively for resource-intensive sections \cite{9A}. 
\subsubsection{Android Apps}
RIM provides tools (currently in beta) for repackaging Android apps to run on the BlackBerry Tablet OS. There are some changes to the UI that are made by the tools. Most apps have a toolbar added that contains a back button, since the PlayBook does not have a hardware back button. Notifications are delivered through the BlackBerry notification path, as might be expected \cite{3A}. 


\section{API Survey}
\subsection{BlackBerry MDS Services}
BlackBerry applications that wish to utilize a push model can be written using BlackBerry MDS Services.  BlackBerry MDS Services run on a BlackBerry Enterprise Server (typically behind a corporate firewall) and can push data to MDS clients running on BlackBerry devices via the BlackBerry infrastructure.  This infrastructure encrypts your data from the point it leaves the BlackBerry Enterprise Server until it reaches the device where it is decrypted locally.

Typically this environment is useful in allowing employees working in the field to securely access enterprise applications (Customer Relationship Management systems, E-Mail, etc) from their phones.  The push architecture also improved greatly on models where devices poll for updates (fetch) because it would tend to drain battery life over time and affect device performance.

\subsection{Device API Features}
\begin{itemize}
 \item \textbf{Data Storage}

  A variety of storage APIs exist. Developers can access the Filesystem and Relational Database storage. There is an Object persistence framework that allows you to persist objects between system restarts and a Runtime storage framework for sharing Objects between different Runtime applications. Filesystem access is considered a privileged API.
 \item \textbf{SMS, BBM}

  BlackBerry devices support sending standard SMS and MMS messages. BlackBerry also supports BlackBerry Messaging which is a popular proprietary messaging system that allows BlackBerry devices to send each other messages without the service provider charges associated with SMS and MMS. Messaging access uses privileged APIs.
 \item \textbf{Device Motion}

  Developers can build applications that adapt to the motion of the device or the orientation.
 \item \textbf{Location Based Services/ GPS}

  Privileged APIs exist for accessing location information like GPS, Compass, etc.
 \item \textbf{Identity}

  The privileged Identity service allow developers to access user identity and accounts on the phone.
 \item \textbf{Invoke(RPC mechanism)}

  Privileged API that allows developers to call internal applications.
 \item \textbf{Media I/O (Camera, Video, Audio)} 

  Privileged API that allows developers to call internal applications.
 \item \textbf{Network / Communications} 

  APIs exist for accessing all the different media interfaces on the BlackBerry smartphone.  Accessing the Camera and Microphone are considered 
 \item \textbf{Phone}

  Privileged APIs for making phone calls, accessing call information, and for displaying a dialing screen to the user.
 \item \textbf{Payment}

  Payment service is a convenient way for developers to initiate a flow to allow for payment for digital goods \& services.  For example, this service could allow a user to buy new ringtones for their phone.
 \item \textbf{PIM (J2ME Personal Information Management APIs)}

  Privileged APIs for managing access to personal information.  You would use these APIs to access a user’s list of Contacts or Calendars.
 \item \textbf{Push (Push data event callbacks)}

  Service that allows for Server-based BlackBerry applications to push data to phones.  Push service is used to register Push Data event callbacks that are fired when data gets pushed to the phone by a BlackBerry Server application.
 \item \textbf{System (System level functions)}

  APIs for access application information and device level data like network address, battery state, API version information, etc.
 \item \textbf{Touch (interface)}

  Rich APIs that allow for the capture of a variety of gestures and touch events.
 \item \textbf{User Interface (Native UI control, Dialogs, Menus, etc,)}

  APIs for building applications with native look and feel for BlackBerry
 \item \textbf{Utilities}

  Variety of utility APIs exist for BlackBerry including cryptography services for Java based APIs and URL based utilities for WebWorks applications.
\end{itemize}


\subsection{BlackBerry Java APIs}
The BlackBerry Java APIs are the best choice when requiring compatibility with older versions of BlackBerry devices or other devices built on J2ME.  The APIs available are a mixture of J2ME and BlackBerry extensions to allow tighter integration.  These APIs allow full control over many low level capabilities of the device.  For example, the APIs offer full control over all the aspects of the camera from zoom, interface, and exposure settings but no single API exists for “get a snapshot”\cite{API}. Most privileged APIs are enforced at runtime with pop-ups sent to a user to Allow/Deny privileged API calls being made by the application.

The BlackBerry Java APIs have the most documentation and sample projects available to the framework which makes it the easiest one to use in order to get started developing on BlackBerry.  However, the BlackBerry Java API is being deprecated in favor of a brand new operating system and application development platform seen on the new BlackBerry PlayBook Tablets.

\subsection{BlackBerry WebWorks (HTML5)}

WebWorks API allows developers to build web applications with all the features and capabilities of natively running BlackBerry applications.  The APIs aren’t as fully featured as the native APIs but allow developers to accomplish most of the same use cases.  For example, a developer doesn’t get detailed control over the camera, but it is possible for an application to prompt the user to take a snapshot image with a single JavaScript API call.

WebWorks applications must declare the privileged APIs they will be accessing from a config.xml file. The config.xml file is also where developers white list domains that the web application can access external domains via HTTP\cite{WEB}. WebWorks heavily leverages HTML5 to provide web application developers standard ways to access device capability that works across platforms.  Some of those HTML5 capabilities are described below.
\begin{itemize}
 \item \textbf{Data Storage (HTML5)}

  HTML5 provides JavaScript APIs for accessing a WebSQL database that can be used by web applications to store data on device so they can operate when data connectivity is unavailable.
 \item \textbf{Cache (HTML5)}

  Another HTML5 feature ApplicationCache can be used to allow an application to control what data (HTML, JavaScript files, Images, etc)  the browser should cache to allow offline usage.
 \item \textbf{HTML5 APIs for Device Motion, GPS, and Touch}

  HTML5 allows web applications to subscribe to device motion events so UI can better adapt to different device orientations, etc.  There also is now a standard geolocation JavaScript API that can be used when that information is available.  A JavaScript API for handling multi-touch events within the browser was also added in HTML5.  
 \item \textbf{HTML5 User Interface}

  HTML5 added a new Canvas element that allows for dynamic 2D rendering of shapes, lines, images, etc.  PlayBook OS also supports the WebGL Canvas element which allows rendering of OpenGL (hardware accelerated) graphics within the web browser. HTML5 also standardized the embedding of audio and video content into a web page through the introduction of audio and video tags.
 \item \textbf{Other APIs}

  We have chosen to only highlight the most heavily used and promoted APIs here.  A short description of other development SDKs is given below in the Development Environment section.
\end{itemize}

\section{Development Environment}
BlackBerry has 5 different platforms! More detailed information about each environment is available on the BlackBerry Developers website\cite{DEV}. You should pick the framework that suits the application you are trying to are trying to create and the devices you want to target.
\begin{itemize}
 \item \textbf{Adobe AIR Tablet SDK (Tablet only)}

  Used for developing applications using Adobe based frameworks.  This is only currently supported for Tablets.
 \item \textbf{C/C++ Native Tablet SDK (Tablet only)}

  Building high performance native based applications and games.  This is also only currently supported for Tablets.
 \item \textbf{Android Runtime (Tablet Only)}

  Used for porting Android applications to BlackBerry.  This is also only currently supported for Tablets.
 \item \textbf{BlackBerry WebWorks}

  Used to build cross platform web-based applications that tightly integrate with BlackBerry Phones and Tablets.  WebWorks also supports industry standards like HTML5 and PhoneGap that allow web developers to build applications than span different smartphone platforms to even Android and iOS devices.  This is supported by all newer BlackBerry devices.
 \item \textbf{BlackBerry Java (Phones only)}

  Legacy SDK used by BlackBerry OS 4.0 and newer. Uses custom performance optimized JVM, etc.  It appears that the vast majority of applications and documentation is available for BlackBerry Java.
\end{itemize}

\subsection{Testing Frameworks}
Ripple Emulator\cite{RIP} can be used to test web-based applications on BlackBerry, iOS, and Android devices. Meant for use in writing WebWorks/HTML5 applications. It is also possible to download a full device simulator for ANY particular model of BlackBerry device\cite{SIM}. Device simulators are very capable, you can simulate basically anything you can do to a real device. From shaking, multi-touch, device orientation to network availability, bandwidth, security policies, etc.

\subsection{Downloading the BlackBerry SDKs}
The WebWorks SDK is heavily promoted on the BlackBerry website. You can download the SDK from here\cite{SDK}. The Smartphone SDK requires Java 1.6 32-bit SDK (not the 64-bit) installed. The Tablet SDK requires Adobe AIR v2.7+ installed. Developers preferring to work in Java can download the BlackBerry Java Plug-in\cite{JAV} for Eclipse which comes with dozens of sample projects and an integrated BlackBerry simulator.

\subsection{Application Signing}
If your application makes use of any protected APIs, it will work in a simulator but not on a real BlackBerry device unless the application has been signed by a key from the RIM Signing Authority. It is free to order a code signing key, all that is required is registration with a valid e-mail address. For WebWorks API, you can find details for how to request keys, install them, and sign applications at \cite{SIGN}. To install code signing keys for the BlackBerry Java Plug-In for Eclipse, follow the instructions at \cite{JSIGN}. A BlackBerry Java project can then be signed by right clicking on the project, then selecting \textbf{BlackBerry $\xrightarrow{}$ Sign with Signature Tool}.

\subsection{Application Distribution}
Signed BlackBerry applications can be deployed to BlackBerry devices.  There are 4 ways applications can be installed onto a BlackBerry device.
\begin{enumerate}
 \item Pushed to device by a BlackBerry Enterprise Server by a system administrator.
 \item BlackBerry AppWorld marketplace by the user.
 \item Visiting a web URL of the signed application binary from the BlackBerry web browser.
 \item Downloaded to device from a computer by the user.
\end{enumerate}

\section{Sample Application}
We created a sample application `\textbf{NCSU Camera Demo Application}` using BlackBerry Java and ran it on BlackBerry Torch 9860 device.

The application allowed the user to use the camera (an interface with privileged APIs) to take a photo and to preview that image.   When satisfied, the user can to attach the picture, and a short text message, to a multi-part MMS message.  The destination is selected from a list of the device’s contacts pulled from phone’s address book using privileged J2ME Personal Information Management (PIM) APIs.  The MMS message is then sent, using privileged APIs, to the selected contact.

If running the simulator, you can load the NCSUCameraDemo.cod using the File menu. If running a real device, you can connect it to your PC using a USB cable and the BlackBerry Desktop Software.You can import the NCSUCameraDemo.alx file from the Applications menu in the desktop application. Once it has been loaded into the software catalog, you can select it to install it via USB to your BlackBerry device. After the NCSUCameraDemo.cod has been downloaded to the BlackBerry device, you should see the NCSU Camera Demo icon on the “Downloads” menu of the device. Start the application by selecting the NCSU Camera Demo icon.

On startup on a real device, you’ll be prompted if you want to mark the NCSU Camera Demo as a Trusted application.  If you don’t set it as a trusted application, some later API calls to retrieve PIM information will fail.  This prompt does not appear in the simulator. Once the application starts, the demo application includes a couple of prompts to help the user follow to understand the flow. When you take a picture, you will get a prompt about allowing the application to access the camera. You can approve this action and allow all future occurrences, if needed. Once you take the picture, use the BlackBerry button to pull up the menu and select Send. The MMS construction page allows you to pick from a list of names pulled using PIM APIs from your phone’s Contact List.  If the application was untrusted, this is where it would crash!  Subject is included in the body of the message while the Message section and the Image taken earlier are included as attached parts to the MMS, similar to MIME e-mail messages. When satisfied with your message, use the BlackBerry button again to pull up the menu and select Send.  This will transmit the MMS message.
\begin{figure}
  \centering
  \subfloat[Home Screen of Device]{\includegraphics[width=0.3\textwidth]{Camera1}}                
  \subfloat[Startup Screen of the app ]{\includegraphics[width=0.3\textwidth]{Camera2}}
  \subfloat[Send MMS screen of the app]{\includegraphics[width=0.3\textwidth]{Camera3}}
  \caption{NCSUCameraDemo Application}
\end{figure}
\section{Security Framework for BlackBerry}
BlackBerry users can generally be divided into two camps: consumers who bought and own their BlackBerry, and enterprise end-users who are given the use of a BlackBerry by their employers. Consumer devices are generally configured to use BlackBerry Internet Service (BIS), while enterprise devices are generally configured to use BlackBerry Enterprise Server (BES). In a BIS environment, the end-user is generally responsible for the appropriate configuration of security measures. In a BES environment, the end-user has a certain amount of control, but security is usually enforced by the enterprise, via the use of an IT Policy and Application Controls. More comprehensive controls are available in a BES deployment than in a BIS deployment, and the default configuration of an enterprise device is generally more constrained than the equivalent consumer deployment of that device (for example, the firewall is enabled by default).

Most of BlackBerry security is controlled by the definition and implementation of Policies. There are over 400 IT policies published by RIM. In case of the enterprise scenario these policies are controlled by the IT administrator of the enterprise. These policies can be pushed to all the devices of the enterprise. In case of the regular user the user needs to define all the policies he/she wants to. For e.g. there are policies that limit installation of third party applications, disallow inter-application communication, force password use, etc. These policies if used wisely can reduce a number of threats to the mobile device.

\subsection{OS Protection}
Only the BlackBerry JVM and lowest-level firmware are written in native code (C/C++, ASM), which eliminates a large portion of the BlackBerry’s attack surface that may be vulnerable to buffer overflows and other memory corruption issues. To stop buffer overflows and control the behavior of BlackBerry Java applications, RIM disallows Java native invocation (JNI) and Java reflection. JNI allows Java code to bridge to native C/C++ code, and allowing its use would enable Java applications to access unintended functionality or corrupt memory. Java reflection can be used to circumvent the public/private access restrictions on Java classes, and its use could allow applications to invoke internal system methods. 

All applications for the BlackBerry OS have to be written in Java. Since Java is a type safe language and there is no native code involved in the apps, theoretically a privilege escalation attack is not possible in BlackBerry OS. 
But, a vulnerability that could allow elevation of access privilege on a BlackBerry PlayBook tablet was found in the BlackBerry PlayBook service used to share files over a USB connection between the tablet and a computer running BlackBerry Desktop Software.  A user could execute specially crafted code to use this vulnerability to manipulate a BlackBerry PlayBook backup archive file and alter a specific configuration file in order to gain root user privileges (access to system administration-level functionality) on the BlackBerry PlayBook tablet. An individual attempting to use this vulnerability to gain root privileges to the BlackBerry PlayBook tablet requires local access to both the tablet and to the connected computer running BlackBerry Desktop Software, including knowledge of any security passwords that are set. Hence this vulnerability cannot be exploited by a remote attacker and it presents a low security risk of elevation of privilege attacks against BlackBerry PlayBook tablet users.

\subsection{System Protection}
BlackBerry involves multiple layers of protection for its OS. It begins with a user turning on the device. Each time a user turns on a BlackBerry® device, specific components on the device automatically check the authenticity of the device operating system and the integrity of the BlackBerry® Device Software. The BlackBerry Device Software must pass these security checks before the user can run the BlackBerry Device Software and before the user can update the BlackBerry Device Software over the wireless network.

BlackBerry also places many restrictions while running applications on the device. BlackBerry utilizes a proprietary operating system, its third-party application framework is based entirely on Java. The BlackBerry implements J2ME (MIDP2) and CLDC, as well as a number of RIM specific APIs. Third party applications must be written in Java and can make use of RIM's custom classes in order to obtain access to enhanced functionality. By default, unsigned applications have very limited access to this enhance functionality. Applications must be signed by RIM in order to perform actions which are deemed sensitive such as enumerating the Personal Information Manager or reading emails. Even signed applications may require user permission to carry out sensitive actions such as initiating phone calls.

Applications targeted for BlackBerry devices are written in Java and then compiled into proprietary .cod files. The Java byte code is "pre-verified" as valid on the PC side (in accordance with J2ME standards) before being compiled into a .cod file. It can then be transmitted to the BlackBerry for execution. Pre-verification means that the class files are subjected to certain security checks, and then annotated to show that these checks have been carried out. When the JVM on the BlackBerry loads the class, it can read this annotation, and hence perform its own verification and security checks much faster. Changes to these annotations after pre-verification can be detected at runtime and the JVM runtime verifier will reject the affected class files before they are executed\cite{CLDC}.

As previously mentioned, in order for an application to get full access to the API’s, the application must be signed by RIM. In order to obtain signatures for their applications, developers must first fill out an online form to receive a developer key. RIM provides a signing tool that sends the SHA1 hash of the application to RIM. Once this hash is received by RIM they will in turn generate a signature. This signature is then sent back to the developer and appended to the application. When the signed .cod is loaded onto the BlackBerry, the Java Virtual Machine (JVM) links the .cod file with the appropriate API libraries and verifies that the application has the required signatures. If a required signature is missing, the JVM will either refuse to link the application, or calls to the controlled API will fail at run-time with an error message. In case an application is modified after signing, during runtime the application is run with the permissions equivalent of an unsigned application.

Code signing is a good technique to hinder the effective deployment of malware, but signatures can be obtained with relative ease\cite{DA}. This link provides information on how to easily obtain fake credit cards and charge them locally, thus making it impossible for RIM to trace the malicious programmer. RIM has to ability to revoke signing keys i.e. it prevents their use for future applications. But code that has already been signed cannot be revoked. It can be blocked by policy definition in case of BES deployment, but unless the user knows that the application is malicious the user will unknowingly continue using it.

Care has to be taken that the host machine that contains the keys used for signing the application should be well protected.This helps lower the risk of the keys getting stolen. One point worth mentioning is that the keys used for signing are themselves encrypted by default and user needs to enter a passphrase to decrypt them ad initiate the code signing process. An offline brute force attack is not possible because the only way to know if the passphrase was correct or not is to initiate code signing across the BlackBerry network and see if it was successful. This code signing process is monitored by RIM to maintain a number of unsuccessful signing events, so it can determine if it was an attempt to brute force the password of the key. But other techniques like keyloggers can be used to determine the password if the host machine that stores the key is compromised\cite{BAC,PBM}.

\subsection{Device Protection}
A BlackBerry® device processor provides an authentication method that is designed to verify that the boot ROM code is permitted to run on a device. The manufacturing process installs the boot ROM code in flash memory on the device. The boot ROM code is the root of trust on devices. The RIM® signing authority system, which signs the boot ROM code for a device during the manufacturing process, uses an RSA® public key to sign the boot ROM code. The processor is configured during the manufacturing process to store information that the processor can use to verify the digital signature of the boot ROM code. When a user turns on a device, the processor runs internal ROM code that reads the boot ROM from flash memory and verifies the digital signature of the boot ROM code using the RSA public key. If the verification process is successful, the boot ROM is permitted to run on the device. If the verification process is not successful, the processor stops running. The process of binding a processor to a boot ROM can occur when the processor is manufactured, the device is manufactured, or the BlackBerry® Device Software is configured, depending on the manufacturer and model number of the processor\cite{STR}.

\subsection{Resource Protection}
Based on the deployment of the device the policy for the resource changes. For the BlackBerry devices deployed to individual users, basic permissions for applications can be set under the Application Permissions menu under the Security Options tab.
\begin{figure}[htp]
 \centering  \includegraphics[width=.6\textwidth]{bbpermissions}
\caption{Change permissions for a particular application}
\end{figure}
Using this the user can edit permissions for a single application or the default policy for the device. Here RIM assumes that the user is security aware to a certain extent and understands which applications to allow certain accesses and which applications to deny. Permissions can be set for three broad areas: "Connections"
"Interactions" and "User Data". These can be set to "Allow" or "Deny". Alternatively they can be set to
"Custom", in which case more granular permissions are set for individual areas. There is also an option provided for Firewall access. By default the firewall is disabled. If the user enables firewall, he/she is prompted subsequently before network connections are allowed. The user also has option of blocking SMS, MMS, PIN or E-mail(via BIS).

In the case of BlackBerry devices provided to the employees by an enterprise\cite{ESS}, the enterprise sets up policies for the device using IT Policy rules and Application Control. This allows the enterprise to push these policies to any device that it has provided to its users. Employees can only increase restrictions on their device not decrease. The end user still has access to set Application permissions and Firewall settings on the device. But the IT Policy rules take first precedence then come the Application Control Policy rules, followed by end-user settings. Employees are also allowed to setup Firewall policies.

\subsection{Network Protection}
BlackBerry Enterprise Server provides the users with an option to encrypt the connections between the device and the network using either AES or Triple DES. Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Each secret key is stored only in the user's secure enterprise account and on their BlackBerry smartphone and can be regenerated wirelessly by the user. Data sent to the BlackBerry smartphone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the smartphone where it is decrypted with the key stored there. Data remains encrypted in transit and is never decrypted outside of the corporate firewall. 

The BlackBerry Internet Service encrypts email messages that it sends and receives using SSL if the external messaging server (POP over SSL, IMAP over SSL, or Microsoft® Outlook® Web Access) supports SSL encryption. External messaging servers use a standard TCP connection if an SSL connection is not supported. 

Your BlackBerry® PlayBookTM tablet supports multiple security methods that are designed to encrypt wireless communications over the Wi-Fi® network between your tablet and either a wireless access point or a network firewall. The tablet rejects incoming connections, supports limited connections in Wi-Fi infrastructure mode only, and prevents Wi-Fi peer-to-peer (ad-hoc networking) connections.

\subsection{Application Protection}
The BlackBerry OS is designed to permit code signing keys in the header information of each encrypted file on the external memory device. It is also designed to check the code signing keys when the device opens the input or output streams of the encrypted files. Only applications that are signed by the same key can communicate with each other. Also this is governed by an IT Policy \textit{`Is Access to the Interprocess Communication API Allowed application control policy rule`}. Besides this check the BlackBerry Tablet OS runs each process in a user space on the tablet. To help protect a user space, the BlackBerry Tablet OS is designed to evaluate the requests that processes make for memory outside of the user space. The BlackBerry Tablet OS is designed to permit a process to access only the memory that it has permissions for at a specific time. 


\subsection{Data Storage and Privacy}
A BlackBerry device user can turn on content protection to configure a locked device to encrypt stored user data and data that the locked device receives. A locked device is designed to use AES-256 encryption to encrypt stored data and an ECC public key to encrypt data that the locked device receives\cite{BB1}. 
%insert figure here
A BlackBerry device uses the principal encryption key to encrypt the device transport keys that are stored in flash memory. The device encrypts the principal encryption key using the content protection key. When a locked device receives data that is encrypted using the device transport key, it uses the decrypted principal encryption key to decrypt the device transport key in flash memory and then uses the decrypted device transport key to decrypt data. To protect the data that a BlackBerry® device stores on a media card, you can configure the External File System Encryption Level IT policy rule, or a user can configure the corresponding option on the device. You can use this rule or option to configure whether the device encrypts the data using a password that a user provides, a device key that is randomly generated and stored in the NV store, or both.

\subsection{User Security and Privacy}
BlackBerry OS as well as the tablet OS have an option to turn on Content Encryption. This encrypts all the user data on the device. In order to decrypt the data, the user has to enter a password chosen when this option was turned on.
RIM provides users BlackBerry Protect, a software that can be installed on the BlackBerry device. It helps the user in situations where the device is lost or misplaced. In that case the user can lock the data on the device and search for it on the BlackBerry website\cite{BBP}. If the user feels that the device has been stolen the the user can securely delete the data from the device. It also allows the user to switch smartphones i.e. the user can restore all the lost data and settings in a new phone. This can also be performed at a corporate level, where the enterprise manages this feature for the employees.

\subsection{Physical Protection}
BlackBerry OS as well as the tablet OS provide Secure Boot. Boot ROM code is signed by RIM signing authority system using RSA public key. During the booting process, the processor verifies the signature on the Boot ROM code using the key hardcoded into the processor during the manufacturing process. If the verification process is successful, the boot code is allowed to run else the processor stops. There is no specific firmware replacement available for BlackBerry as of now, but XDA is thinking of releasing one for BlackBerry Playbook. There is a root available for BlackBerry PlayBook by DingleBerry, it allows users to obtain root access on the PlayBook when it is in the development mode, using SSH on a desktop/laptop. It requires the PlayBook OS to be downgraded to version 2.0.0.4869. If the PlayBook is restarted, then the user needs to go through the whole process of connecting the PlayBook to the desktop/laptop and starting a connection via SSH in development mode.

\bibliography{blackberry}
\bibliographystyle{abbrv}

\end{document}
